Audits & Security
The Honeyswap contracts have been audited by CertiK security assessors. You can read their audit report below.
Some changes have been made to the contracts post-audit. However, the core mechanisms remain unchanged. As a result, the audit still provides a valid assessment of the current state of the security of the main contracts. The airdrop contracts have not been audited. However, the airdrop contract only holds the airdrop funds and do not interact or influence the farming contracts in any way.
- The farming contract allows users to deposit ERC20 tokens into set pools and earn rewards in another token proportional to their share in the pool
- The contract tracks multiple pools
- Depositors can set a referrer upon depositing which will get rewarded proportionally to the rewards earned by the depositor
- The rewards are xComb tokens referred to as
hsfTokenin the code
- Depositors may lock their deposit for a fixed period of time to own a larger share of the pool and thus the rewards
- ReferralRewarder.sol: stores rewards for referrers
- HSFToken.sol: ERC20 reward token
- HoneyFarm.sol: Keeps track of pools and deposits
As the contract deals with deposit tokens and the reward token one must ensure that the relevant transfers are only called when appropriate and with the correct parameters. Furthermore any state that may lead to their invocation has to be checked to make sure that it’s correctly updated.
- Uses the standard ERC20 implementation from the OpenZeppelin smart contract library
_mint()method is only called once during construction with the total supply credited to the deployer
- The reward token has no additional embedded functionality
Potential detected failure points
- has an immutable
exchangeRateproperty that determines how referrers are compensated
- Tokens are only transferred within the
- Uses the standard
Ownableimplementation from the OpenZepplin library for method access restriction (not fully compatible with ERC173, missing
- Is access restricted so that only the owner address may call it
- Scales the given
rewardparameter by the
- compares reward to balance to ensure that the method doesn’t revert due to insufficient funds
- fires a
MissingRewardevent incase the method failed to provide the necessary reward
Potential detected failure points
- May run out of rewards: deployer can ensure the contract cannot run out by depositing enough rewards such that
rewarder_reserves = exchange_rate * total_farm_reward_dist
- Owner can drain contract: draining is prevented by setting the owner to the farming contract after deployment
- distributeReward may revert due to integer overflow: aslong as the
exchangeRateparamater is set to less than
type(uint256).max / rewardToken.totalSupply() + 1it cannot overflow when performing the multiplication
General - Definitions & Maths:
- Total reward distribution: All rewards in the farming contract are paid out in the form of the reward token. The amount being distributed at any time t can be denoted by the function d(t)=m⋅t+ds where m is the slope of the line and ds is the starting distribution rate. If te is the time at which distribution ends, the distribution rate at the end de is d(te). Since we want the distribution rate to decrease over time we’ll denote de as a percentage r of ds, so de=r⋅ds . The total HSF to be distributed s is the area under the graph between 0 and te
Since the graph is just a sloped line, the area underneath it can be broken down into a triangle and rectangle. The sum of their areas should be equal to the total reward distribution:
Now that the starting distribution rate is calculated one can easily calculate the slope since it’s simply the change in the distribution rate divided by the time:
Since the slope will be negative and it’s simpler to deal with positive, unsigned numbers the contract simply stores the flipped sign value and negates it via subtraction instead of addition in the calculations where it’s used:
The above calculations are used in the constructor to calculate the slope and the starting distribution rate. Note that since solidity doesn’t support fractional numbers the scaling constant
SCALEis used to scale fractional numbers up and down.
The final piece of math that is needed is how to calculate the amount to be distributed between two arbitrary time points d(t1,t2), this can be done by integrating our d(t) function over that period. All that means is calculating the area under the graph during that period. To do that one again can simply splits the area into geometric shapes to calculate its area and simplifies the resulting equation:
Which brings us to the final equation which is used in the
getDistributionmethod. The result is scaled by the
Since the amount of outputed rewards will be steadily decreasing m will be a negative value. Since it’s simpler to only have to deal with positive numbers in the code we use the formula above where m is negated, −m is thus positive and is the value that is actually stored in the
- Pools: The farming contract distributes rewards in the reward token to all its pools, proportional to their allocation. Each pool tracks a single ERC20 token. So if a pool is allocated 20% of their rewards and a user’s deposit has 50% of the total shares in the pool, that user will receive 10% of the total distributed rewards so long as these parameters do not change.
- Keeping track of rewards: The rewards a given deposit accrues is dependant on its shares relative to the total shares contained in the pool. Shares are calculated by taking the token deposit amount times a multiplier. For non-timelocked deposits the multiplier is 1. For timelocked deposits the multiplier increases linearly with lock length.
General - Publicly accessible properties:
SCALE: constant, by what value calculations are scaled to maintain precision. If
SCALEis say 10^18 then the value 0.1 would be stored as 0.1 *
SCALEso 10^17. This is done to maintain precision in different calculations throughout the contract
hsf: immutable, address of the reward token
referralRewarder: address of the referral rewarder, while not explicitly immutable it can only be set once in the lifetime of the contract in the
poolInfo: returns information for a certain pool when given the pool token’s address. Pool information includes:
allocation: what share of the distributed rewards are allocated to the pool, always relative to the total allocation poitns
lastRewardTimestamp: the timestamp at which the pool’s information was last updated. A pool is updated every time a pool’s properties are changed, a new pool is created, a new deposit is created, closed or its rewards withdrawn
accHsfPerShare: represents the rewards one share unit would’ve accrued if staked since the beginning of the pool
totalShares: total shares current in the pool
totalAllocationPoints: total points allocated to different pools
totalDeposits: how many deposits have already been created, also used as the deposit ID of the next deposit
depositInfo: returns information for a certain deposit when given the deposit ID. Deposit information includes:
amount: deposited token amount
rewardDebt: used to account for reward accumulator pre-deposit
unlockTime: time at which the owner may withdraw his deposited tokens and close his deposit. 0 if the deposit isn’t locked
rewardShare: how many shares the deposit contains.
setRewards: earned rewards not accounted for via the reward accumulator. Typically only set if a deposit has been downgraded externally.
pool: pool that the deposit belongs to
referrer: the address set to receive referral rewards upon receiving rewards
distributionSlope: immutable, slope of the distribution function (−m
startDistribution: immutable, distribution per unit of time when distribution starts
minTimelock: imutable, shortest permitted time-locked deposit. Even when this value is above 0 it still allows non-locked deposits
maxTimeLock: immutable, longest permitted time-locked deposit
startTime: immutable, time at which reward distribution begins
endTime: immutable, time at which reward distribution ends
timeLockMultplier: immutable, multplying factor used when determining the share multiplier for time-locked deposits. Scaled by
timeLockConstant: immutable, constant factor used when determining the share multplier for time-locked deposits. Scaled by
downgradeFee: immutable, fee taken from the deposit’s underlying deposit amount (not rewards) when a deposit is downgraded. Scaled by
contractDisabledAt: timestamp at which the contract was disabled. Set to 0 if the contract hasn’t been disabled yet. Can only be set once
owner: returns the address of the current contract owner. The owner can add and adjust pools, set the baseURI used to determine the token URI and disable the contract. (what disabling entails is described below)
General - publicly accessible methods
This section does not include properties that behave like mentioned, these are mentioned in the section above.
Not explicitly listed here but also available are all the methods required to be compatible with the ERC721 standard. This includes the metadata and enumerable extension of the ERC721 standard as proposed in EIP721.
constructor(IERC20 _hsf, [uint256 _startTime, uint256 _endTime, uint256 _totalHsfToDistribute, uint256 _endDistributionFraction, uint256 _minTimeLock, uint256 _maxTimeLock, uint256 _timeLockMultiplier, uint256 _timeLockConstant, uint256 _downgradeFee]): Partially initializes the farming contract. Calculates and stores the
startDistributionproperties. Transfers the total required reward tokens to itself from the deployer address. Stores the different parameters into the relveant properties except for
_endDistributionFractionwhich are just used for the one-time calculation. Also checks whether the given
_endTimeis after the
_startTimeand if the maximum lock time is larger than the minimum lock time.
poolLength(): view, returns the amount of pools that the farm currently tracks.
getPoolByIndex(uint256 _index): view, returns a tuple of pool information when given a pool index. The pool information tuple contains the address of the ERC20 token that needs to be deposited in order to earn rewards (
poolToken) for that pool, as well as all the information returned by the poolInfo property in the same order.
setBaseURI: allows the owner to set the baseURI of the contract. The baseURI is used to determine the tokenURI as part of the ERC721 standard metadata extension.
disableContract: allows the owner to disable the contract. This withdraws any remaining rewards and allows all depositors to withdraw their tokens and accrued rewards regardless of the set unlock time. This is implemented as a more trustless alternative to the classical migrator method typically found in a lot of farming contracts.Emits a
add: adds a new pool if a pool for the specified ERC20 token does already exist.Emits a
PoolAdded(IERC20 indexed poolToken, uint256 allocation)event with the token address and allocation points for the new pool.
set: adjusts the allocation points of a given pool.Emits a
PoolUpdated(IERC20 indexed poolToken, uint256 allocation)event with the token address and the new allocation points.
getDistribution(uint256 _from, uint256 _to): view, returns the total rewards that the contract will or has distributed between two timestamps. Result scaled by
getTimeMultiple(uint256 _unlockTime): view, returns the multiple a deposit with an unlock time of
_unlockTimeif created with the current
block.timestamp. Result scaled by
pendingHsf(uint256 _depositId): view, returns the pending rewards for the deposit with a deposit ID of
0if the deposit does not exist. To verify whether a deposit exists simply use the
ownerOf(uint256 _depositId)method. If it reverts a deposit with the given ID does not exist.
createDeposit(IERC20 _poolToken, uint256 _amount, uint256 _unlockTime, address _referrer): creates a new deposit in the specified pool. Create a non-locked deposit if the
_unlockTimeparameter is set to
0. Requires the creator to have approved the contract to spend at least
_amounttokens and actually have the required balance. To indicate no referrer simply call the
createDepositmethod with the zero address as the referrer. Contracts which create deposits must make sure that they’re able to appropriately handle incoming ERC721 token as specified in EIP721.Emits a
Transfer(address indexed from, address indexed to, uint256 indexed tokenId)event with the
fromaddress being the zero address.Emits a
Referred(address indexed referrer, uint256 depositId)event if the set referrer is not the zero address.
closeDeposit(uint256 _depositId): closes the deposit if the sender is the owner of the deposit. Also to be able to close the deposit the deposit must either be a non-locked deposit or the
unlockTimemust have passed. Locked deposits may be unlocked early if the owner address decides to disable the contract. Returns the deposited tokens as well as the accrued rewards to the one closing their deposit. As well as rewarding the referral address (if present).Emits a
Transfer(address indexed from, address indexed to, uint256 indexed tokenId)event with the
toaddress being the zero address.Emits a
MissingReward(address indexed referrer, uint256 owedReward)event from the referral rewarder address if it has run out of rewards.
setReferralRewarder: sets the address for the referral rewarder. Can only be called once by the owner address and completes the initialization of the farm.
withdrawRewards(uint256 _depositId): must be called by the owner of the deposit. Withdraws the rewards and resets the accumulator. Also downgrades the deposit if the unlock time has passed. Also sends the referrer rewards (if one was set). Partially withdraws the original deposit as part of downgrade reward (if the deposit was downgraded in as part of the call)Emits a
DepositDowngraded(address indexed downgrader, uint256 indexed depositId, uint256 downgradeReward)event if the deposit has been downgraded.Emits a
RewardsWithdraw(uint256 indexed depositId, uint256 rewardAmount)event with the outgoing xComb rewards as the
MissingReward(address indexed referrer, uint256 owedReward)event from the referral rewarder address if it has run out of rewards (never fired if no referrer set).
downgradeExpired(uint256 _depositId): allows anyone to downgrade a deposit who’s unlock time has passed and which hasn’t been downgraded yet. Gives the caller a part of the original deposit as part of a downgrade reward. The part that is given as a reward is determined by the percentage stored in the
DepositDowngraded(address indexed downgrader, uint256 indexed depositId, uint256 downgradeReward)event if the deposit has been downgraded with the caller as the
updatePool(IERC20 _poolToken): updates the accumulator of the pool with the given
_poolToken. Does not emit a
updatePoolon all pools